DOJ Misled Judges For Years About How It Was Using Stingray Devices To Spy On People

from the well-of-course dept

How many times does it need to be repeated? If you give law enforcement the ability to spy on people -- even with limits -- law enforcement will always blow through those limits and abuse its powers. It happens over and over and over again. And that becomes doubly true when law enforcement has worked out ways to avoid oversight. Back in 2011, the WSJ broke a huge story about the frequent use by government officials of a technique for mobile device surveillance generically called "stingray" devices (technically, there are a few products used for this, only some of which are actually called Stingrays, but the name is now used to refer to all of them). The device works by pretending to be a mobile phone tower, so devices can connect to it, and law enforcement gets all your data. It's basically a cellular man-in-the-middle attack, with law enforcement being that man in the middle. Yay.

The technology has been a key component in a case involving Daniel Rigmaiden, which we wrote about last year. Rigmaiden was taken into custody (on a fraud charge) and, representing himself in court, he has sought more info on how he was tracked down -- leading to some reluctant disclosure about law enforcement using Stingray devices on questionable authority to find him. In that case, we noted that law enforcement claimed it had a court order to use the technology, but the judge was confused, asking where were the warrants for the use of the device. The judge asked how it was possible that a court order or warrant was issued without the judge ever being told about the technology used in surveillance and was told, simply, "it was a standard practice."

As some of you may be aware, our office has been working closely with the magistrate judges in an effort to address their collective concerns regarding whether a pen register is sufficient to authorize the use of law enforcement's WIT technology (a box that simulates a cell tower and can be placed inside a van to help pinpoint an individual's location with some specificity) to locate an individual. It has recently come to my attention that many agents are still using WIT technology in the field although the pen register application does not make that explicit.

While we continue work on a long term fix for this problem, it is important that we are consistent and forthright in our pen register requests to the magistrates…

Basically, that's the DOJ admitting that it has not been forthright or explicit in letting judges know that it is going to use this extremely intrusive form of surveillance in seeking approvals. And the courts have been concerned about this. As the ACLU notes, this email was written three years after the Rigmaiden situation happened -- suggesting that the DOJ has been getting away with this sort of thing for many years, without anyone digging in. The ACLU is now arguing that this should be a reason to suppress the evidence obtained via these devices, and will ask the court to "send a clear message" that it cannot hide the truth from federal judges in seeking rubber stamps to violate the privacy of the public.

Reader Comments

and of course the judges will do exactly that! i dont think! they are told what they can and cant, will or wont do. if doing what they SHOULD do so as to protect the public, they will be out of jobs. there is no way that any law enforcement agency is going to allow a judgement to stand when it may inhibit an investigation where they are determined to pin charges on someone, true or false, and where they want to instill a jail sentence because they need to 'save face' or something similar. we have the Swartze case, the 'weev' case and the Dotcom case. all cases are a farce on the behalf of the DoJ, but they wont back down, they admit they were wrong, prefering to carry on lying until one judge comes along and gives them what they want! they have dragged others down so far and the obliging judge will go the same way, not that the DoJ will worry about it in the slighest

When perpetrated by individuals, a mitm attack will be met with severe penalties. Apparently it is completely acceptable for governmental agencies and their cronies to engage in the exact same thing. The difference, or so we are told, is that the individual has nefarious purposes while the big brother types are simply looking out for your best interests security wise - wink wink.

Fear

I am starting to think these days that Judges are afraid of the Government when they just don't seem to call them to account or to punish them for their bad actions. So it is almost like they say "Do what we say or we will fire you and give someone else your job"

This is why the Justice system always needs to be fully independent to the Administration to be able to uphold law and justice without political bullying, pressure or interference.

Re: Fear

Re: Fear

The unprecedented berating Supreme Court judges at a state of the union address seemed to prove effective. This administration has no qualms about trying to influence the highest levels of the "independant" judiciary, so lower court judges being fearful is understandable.

Re: Re: OT: These ads on the bottom

The judges are obviously in a rough spot. On the one side one can argue that those devices and techniques don't do any direct harm and help to convict criminals - depsite them being questionable/illegal.

On the other hand, if the judges just keep dismissing all cases and set those to-be-found-guilty "criminals" free and then something happens, everybody would blame the judges for not having convicted and incarcerated them.

what all law enforcement agencies and the government seem to want to do is throw all justice, courts, judges and the Constitution in the trash and be given a carte blanche. they can then do what they want, when they want, to whom they want, how they want and have no come backs. trying to think of the type of society, the type of government that reminds me of. anyone help me out??

Just Trust Us

We are seeing more and more that when you work for the DOJ its OK to do anything, even if its illegal. Just make sure the legal doublespeak obfusticates it. As a citizen, watch out for double jeoperdy with charges at the state and federal level (and don't even start THINKING about committing a crime because just talking about it is going to be just as bad as doing it). How do they maintain a straight face with all of these double standards.

Is only the tip of the iceberg. Cell phone location data can be purchased for ~30/month in many states with nothing more than a request. Its an national problem and constitutional tragedy. Some of this can be mitigated with strict privacy regulation and more personal control of the phone OS but not all.

With some political public browbeating the location data can be forced to remain in the tower and not sent and recorded centrally. Search warrants for cell tower dumps would be required for law enforcement otherwise.

We are not talking about a most efficient system but one that meets individual privacy needs.

The situation is so weird that cell phone companies will sell/give almost anyone your location but you:

My complaint would be what laws were broken and if none... wth? What protects the citizen from the government? Will anyone get fired and lose their pension for acting in a way unbecoming of a government official or by throwing out basic constitutional rights to make an admittedly hard job easier?

Having a law enforcement job is like having a job that defends the constitution (is the badge getting congressionally tarnished lately?) and it was never an easy and especially never a safe job. Apply for a job as an office worker or ice cream truck sales job if one wants to have a safer job. Being, most likely, constitutionally lazy and sloppy is a poor operational excuse.

Time for some judicial guidelines reform. Time for some tort (sentencing reform) reform, time for some copyright term reduction, time for some copyright Fair Use as easy and normal reform, time for a lot of things.

Government is EVIL

More proof that Govt is the greater evil. The evils of Govt are boundless, unless held in check, as the authors of the US’s founding documents warned us about.

So John “Mr. BIG Govt” Fenderson, are you still confessing that Govt is easier to control than Corporations - "...if we had to choose between those two Bigs (and I don't think we do), then I choose Big Government. It's easier to fix the government (who is us) than major corporations (whose behavior we have little to no say in.)…"
Quote reference: John Fenderson “It's easier to fix the government…"

Re: Government is EVIL

(THAT should be a sign next to EVERY flag in EVERY classroom in uhmerika...)

we sheeple have slept too long: we have let a professional klass of politicians take over the vigil, and they have been -as is inevitable- co-opted and corrupted...

the korporate media are no longer the proxies of us 99%, but the lapdogs of the 1%... there is NO VIGIL, the fucking foxes are guarding the henhouse now, and all we get are horsefeathers and bullshit...

Re: Government is EVIL

Yeah corporations are easier to control...NOT In the 1950's-1960's the corporations were polluting so badly rivers were on fire, Lake Erie was dead, the London killer fog left hundreds dead, 3rd world pollution was a nightmare (read up on Texaco and Honduras)....if the environmental movement hadn't stepped in the corporations would have killed us all.
My take: government is evil, Corporations are evil-er

Illegal search. Period.

Meanwhile, a pen register order allows intercepting called numbers *only*. Certainly not content of voice conversations or anything similar.

It seems clear, then, that if an MITM device is used with only a pen register warrant, any evidence resulting should be thrown out of court, whether or not they actually used the ability to intercept the content of voice calls or other things clearly forbidden with just a pen register. Such a policy by the courts would force LE to get the proper sort of warrant.

At the same time, there are steps private industry could take to improve the privacy of wireless customers. Namely, wireless encryption and authentication like WiFi uses. You can't accidentally connect to a WiFi network masquerading as the one you normally use; the encryption won't work (wrong key) even if the network spoofs the name of the familiar one. Similarly, it wouldn't be hard to change cellular protocols so that the phone and tower authenticate, and the phone won't connect to "towers" not belonging to the cellular provider your phone's configured to use. So if it's set up to use AT&T, it won't connect to a "tower" that doesn't authenticate itself to the phone as an AT&T tower.

This has benefits for both the public and the telco. On the public side, their privacy is more assured if a) phone-to-tower communications are all encrypted and b) their phone cannot be fooled by a spoofed tower (which might not be LE with a legitimate warrant or even LE without a warrant; it might be hackers, or the mob, or who the hell knows?). Further to that, if LE has to go through the phone company to get a live location trace, they're forced to get the proper warrant for such a thing and the telco is not going to give them anything extra (such as the ability to intercept voice call content) beyond what the warrant allows.

On the telco side, telcos love to charge LE money for access to info on their customers, and they'd be able to charge for the information that the use of Stingray devices currently lets LE get for free. Of course, this kind of thing already creates perverse incentives for telcos to sell information to LE eagerly even without a warrant, so a clear rule is needed that such information is inadmissible in court without a warrant specifically for the information used.

Re: Illegal search. Period.

"So if it's set up to use AT&T, it won't connect to a 'tower' that doesn't authenticate itself to the phone as an AT&T tower."

But if they have a warrant, they'll probably just be able to force AT&T to give them a code that says they ARE a valid tower. I know that in the past they've passed laws forcing phone companies to build easier-to-tap land lines. Since new towers can be built at any time, you can't just hardcode a list into the phones.

Although, this would STILL be a good idea, to prevent MITM from people who are NOT law enforcement.

Re: Re: Illegal search. Period.

First of all, I propose the towers authenticate to the phones in a manner similar to how EV SSL certs work -- if the telco builds a new tower they'll sign its identification certificate with their big corporate key and phones will recognize it. It'd be similar to how Google can add a new server with a new IP address to handle gmail and browsers will happily recognize the new IP as being genuinely Google's.

Second, getting a warrant for a telco's private certificate-signing keys so as to be able to impersonate that telco to computer equipment seems like it would be a mite difficult compared to simply getting a wiretap-like order for real-time location data of a particular target to serve on said telco.

I really want to have a court examine whether or not it is legal for your average citizen to conduct themselves in the same way police do without the warrant. Isn't the warrant supposed to be the special permission police get to essentially break the law? If they don't need a warrant, can I not do the same thing?

Here's hoping for a continuation of common sense rulings pushing back absurd government spying. NSLs got banned just recently. Hopefully the court in this case will react appropriately to the news that the DOJ has been lying to judges for years.

What I would propose is a combination of public and private key encryption.

Public key encryption is nice and fairly private keeing in mind the rapid advances in computer technology makes even 512 bit encryption weak these days for a concerted effort. 2048 bit wold be nice for now. The problem is that almost all the prime number combinations have been already calculated demanding elliptic and other formulas (possibly something fractal in future) to hide keys.

So we have private key encryption of unlimited bits. When you meet someone and share cell phone numbers a bit of very short range local wifi (infrared or direct connect by touch?) could share a large key for personal private encoded talking. It would be changed every time you met in person if one was worried about it.

There are some legal technicalities of international calls but expect then not to interfere between personal friends.